Skip to navigation

Security Advisory Moderate: tomcat6 security update

Advisory: RHSA-2013:0266-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-02-19
Last updated on: 2013-02-19
Affected Products: JBoss Enterprise Web Server v2 EL5
JBoss Enterprise Web Server v2 EL6
CVEs (cve.mitre.org): CVE-2012-2733
CVE-2012-4431
CVE-2012-4534
CVE-2012-5885
CVE-2012-5886
CVE-2012-5887

Details

Updated tomcat6 packages that fix multiple security issues are now
available for JBoss Enterprise Web Server 2.0.0 for Red Hat Enterprise
Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Apache Tomcat is a servlet container.

It was found that sending a request without a session identifier to a
protected resource could bypass the Cross-Site Request Forgery (CSRF)
prevention filter. A remote attacker could use this flaw to perform
CSRF attacks against applications that rely on the CSRF prevention filter
and do not contain internal mitigation for CSRF. (CVE-2012-4431)

A flaw was found in the way Tomcat handled sendfile operations when using
the HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker
could use this flaw to cause a denial of service (infinite loop). The HTTP
NIO connector is used by default in JBoss Enterprise Web Server. The Apache
Portable Runtime (APR) connector from the Tomcat Native library was not
affected by this flaw. (CVE-2012-4534)

Multiple weaknesses were found in the Tomcat DIGEST authentication
implementation, effectively reducing the security normally provided by
DIGEST authentication. A remote attacker could use these flaws to perform
replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886,
CVE-2012-5887)

A denial of service flaw was found in the way the Tomcat HTTP NIO connector
enforced limits on the permitted size of request headers. A remote attacker
could use this flaw to trigger an OutOfMemoryError by sending a
specially-crafted request with very large headers. The HTTP NIO connector
is used by default in JBoss Enterprise Web Server. The APR connector from
the Tomcat Native library was not affected by this flaw. (CVE-2012-2733)

Warning: Before applying the update, back up your existing JBoss Enterprise
Web Server installation (including all applications and configuration
files).

Users of Tomcat should upgrade to these updated packages, which resolve
these issues. Tomcat must be restarted for this update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Web Server v2 EL5

SRPMS:
tomcat6-6.0.35-6_patch_06.ep6.el5.src.rpm
File outdated by:  RHSA-2013:1011
    MD5: ad1cf80f14408e5bc8e3d61d00ecaf03
SHA-256: f0206f8a9e82dedca477ffcddd8ef5cb28859b2b60705738247611f99c871ee0
 
IA-32:
tomcat6-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: c02580f4888865582fa5a6327cfc1e70
SHA-256: a18fee1bfd36be88bb910565e1b6941d4d695e072bb5075a2f7901a4cb9fc527
tomcat6-admin-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 07ca6eaad85c63b399cd4a1748cf202c
SHA-256: c97f41770436ae2e8d54899544820e32ed521d01b3509caf09634dbe4193e211
tomcat6-docs-webapp-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 18a016f41bb6c07f8de6860ef607fef5
SHA-256: 84cfebe591b2d982750126e010004826e872688125c42a7f87571cde901494dc
tomcat6-el-1.0-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: cd3b00d707a71578262c96fd1ee27199
SHA-256: f256a9c86bc20e5f1dc58df8c74ff93b8a35741e4c1d6eb519dcfe51b7aa8d17
tomcat6-javadoc-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 130691d8fa8fd392ef1eef0ace60f9d3
SHA-256: 6d4e3fcbd4b65a11678d1d850e2e1ac76fce536b833806fccda92e900c3ea4b4
tomcat6-jsp-2.1-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: e119111d3c8218b65145ac0ca6150dd6
SHA-256: 398874ea055d6579727eb8d16dd2aeade1fb6e78d9955cfcc132d08d7bf7ea44
tomcat6-lib-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 7473759e53db9ee4f427dffce139833c
SHA-256: 001734ba8303a62154a1c5b53e3d9cd2dcde1da3a5814e001f9f5c0c70e0b7a3
tomcat6-log4j-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 03453138cc55db0068afeb630dc3015a
SHA-256: df2b4a572a91f6602b65ae5736f532f89d944a13427ba7e49677ffc553b819ae
tomcat6-servlet-2.5-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 18212bd5ed3a1d94e0c040cdf9ea7c7d
SHA-256: a8dd2e7395063f331481aeb53d8ed6c0664cbe52580bb0c353c62341e61ad467
tomcat6-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 63ceb1f7acfcc2a90e67293f3141ac7e
SHA-256: 47f8dca27ccafdfc8ae16845d9e29784ecf09dd6144086cc90ca9710ad832ef5
 
x86_64:
tomcat6-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: c02580f4888865582fa5a6327cfc1e70
SHA-256: a18fee1bfd36be88bb910565e1b6941d4d695e072bb5075a2f7901a4cb9fc527
tomcat6-admin-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 07ca6eaad85c63b399cd4a1748cf202c
SHA-256: c97f41770436ae2e8d54899544820e32ed521d01b3509caf09634dbe4193e211
tomcat6-docs-webapp-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 18a016f41bb6c07f8de6860ef607fef5
SHA-256: 84cfebe591b2d982750126e010004826e872688125c42a7f87571cde901494dc
tomcat6-el-1.0-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: cd3b00d707a71578262c96fd1ee27199
SHA-256: f256a9c86bc20e5f1dc58df8c74ff93b8a35741e4c1d6eb519dcfe51b7aa8d17
tomcat6-javadoc-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 130691d8fa8fd392ef1eef0ace60f9d3
SHA-256: 6d4e3fcbd4b65a11678d1d850e2e1ac76fce536b833806fccda92e900c3ea4b4
tomcat6-jsp-2.1-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: e119111d3c8218b65145ac0ca6150dd6
SHA-256: 398874ea055d6579727eb8d16dd2aeade1fb6e78d9955cfcc132d08d7bf7ea44
tomcat6-lib-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 7473759e53db9ee4f427dffce139833c
SHA-256: 001734ba8303a62154a1c5b53e3d9cd2dcde1da3a5814e001f9f5c0c70e0b7a3
tomcat6-log4j-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 03453138cc55db0068afeb630dc3015a
SHA-256: df2b4a572a91f6602b65ae5736f532f89d944a13427ba7e49677ffc553b819ae
tomcat6-servlet-2.5-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 18212bd5ed3a1d94e0c040cdf9ea7c7d
SHA-256: a8dd2e7395063f331481aeb53d8ed6c0664cbe52580bb0c353c62341e61ad467
tomcat6-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm
File outdated by:  RHSA-2013:1011
    MD5: 63ceb1f7acfcc2a90e67293f3141ac7e
SHA-256: 47f8dca27ccafdfc8ae16845d9e29784ecf09dd6144086cc90ca9710ad832ef5
 
JBoss Enterprise Web Server v2 EL6

SRPMS:
tomcat6-6.0.35-29_patch_06.ep6.el6.src.rpm
File outdated by:  RHSA-2013:1012
    MD5: 28c0c43ca6557c2e8a655f896a592e7d
SHA-256: 500c01af36715c025ef5b43ef7284bb5aaabc3651d2a20e2906350dbe0defc0e
 
IA-32:
tomcat6-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 3cfb229b0ef8baa41530a98f9aa3d5d9
SHA-256: 1f5a20675db2d1de6d4bb301f0716d5a22cb07531f989276f0ea4f12458185f6
tomcat6-admin-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: f9af471907d4fa5d324083e9dddb2aa9
SHA-256: 580d9d95b5d23fb2e3955e581374441b0be5af481b9652d000a26e53879becf2
tomcat6-docs-webapp-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 25dca6b509297f6f8dc1bf50402d731b
SHA-256: 8a37863d42026c903bae24c932740247a48bc37d213d4a7cb4c2103ee501cfd2
tomcat6-el-1.0-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: fd6aae8654a3790bb22697f7a50376d8
SHA-256: 0fac1be5ab6fedf42acf11f452741228c974f299b41000d87e9a45bb89c136fd
tomcat6-javadoc-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 257d2da83597675bbf614e5284131ac2
SHA-256: b9b1a4af84570a852fb2263bf4812aedce2f67ea3b9520fa21b266ec24ca02c6
tomcat6-jsp-2.1-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 376049a91b4a7462291eec9a8f900e55
SHA-256: f71239c415c84ef342be1dcbcba00fe6a17d5a6f8e098aa2cc177e31a609dbfb
tomcat6-lib-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 42009c011bd7766fd9545eb5a4903ec7
SHA-256: f0243c37f6488cfa4783019a07a04fe6373868a67eb070af028317c7f23f42ed
tomcat6-log4j-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 71fc1043163074a9062a63ed86f6aae6
SHA-256: 0c511e1d31f1ac32ed6214645aa44f7bcfca0c3a028b34b0172cfa256741bcc7
tomcat6-servlet-2.5-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 38efc4e3e03d214c688870b7dfb1ecfa
SHA-256: 19e1dc1a06454d31ddc492efd0fc7ddb1d9b828d1eecce032d183f95d92ffdf6
tomcat6-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: e1f59bbed345c842aa0503602b940380
SHA-256: 6838dbb155e0ce863ca2969c4464c8998e046cd54db637e06e04d955d24af450
 
x86_64:
tomcat6-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 3cfb229b0ef8baa41530a98f9aa3d5d9
SHA-256: 1f5a20675db2d1de6d4bb301f0716d5a22cb07531f989276f0ea4f12458185f6
tomcat6-admin-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: f9af471907d4fa5d324083e9dddb2aa9
SHA-256: 580d9d95b5d23fb2e3955e581374441b0be5af481b9652d000a26e53879becf2
tomcat6-docs-webapp-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 25dca6b509297f6f8dc1bf50402d731b
SHA-256: 8a37863d42026c903bae24c932740247a48bc37d213d4a7cb4c2103ee501cfd2
tomcat6-el-1.0-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: fd6aae8654a3790bb22697f7a50376d8
SHA-256: 0fac1be5ab6fedf42acf11f452741228c974f299b41000d87e9a45bb89c136fd
tomcat6-javadoc-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 257d2da83597675bbf614e5284131ac2
SHA-256: b9b1a4af84570a852fb2263bf4812aedce2f67ea3b9520fa21b266ec24ca02c6
tomcat6-jsp-2.1-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 376049a91b4a7462291eec9a8f900e55
SHA-256: f71239c415c84ef342be1dcbcba00fe6a17d5a6f8e098aa2cc177e31a609dbfb
tomcat6-lib-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 42009c011bd7766fd9545eb5a4903ec7
SHA-256: f0243c37f6488cfa4783019a07a04fe6373868a67eb070af028317c7f23f42ed
tomcat6-log4j-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 71fc1043163074a9062a63ed86f6aae6
SHA-256: 0c511e1d31f1ac32ed6214645aa44f7bcfca0c3a028b34b0172cfa256741bcc7
tomcat6-servlet-2.5-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: 38efc4e3e03d214c688870b7dfb1ecfa
SHA-256: 19e1dc1a06454d31ddc492efd0fc7ddb1d9b828d1eecce032d183f95d92ffdf6
tomcat6-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm
File outdated by:  RHSA-2013:1012
    MD5: e1f59bbed345c842aa0503602b940380
SHA-256: 6838dbb155e0ce863ca2969c4464c8998e046cd54db637e06e04d955d24af450
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues
873695 - CVE-2012-2733 tomcat: HTTP NIO connector OOM DoS via a request with large headers
883636 - CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter
883637 - CVE-2012-4534 Tomcat - Denial Of Service when using NIO+SSL+sendfile


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/